What's Actually Tested on CAS-005
CompTIA · Updated June 13, 2026

A practitioner breakdown of what the CAS-005 exam tests and how to prepare.

By NerdExam Editorial Team · Published June 13, 2026

What the CompTIA SecurityX (CAS-005) Exam Actually Tests

The CAS-005 is CompTIA's advanced-level security certification, replacing CAS-004 and rebranded under the SecurityX name. It targets practitioners with at least ten years of IT experience, including five or more in hands-on security roles. This is not a memorization exam. It tests your ability to analyze scenarios, synthesize competing priorities, and make defensible security decisions in complex enterprise environments.

If you are preparing, start by reviewing the CAS-005 study guide to map your existing knowledge against the domains before you commit to a study schedule.

The four domain areas below represent the actual content the exam covers. Each section describes what skills are tested, what conceptual depth is expected, and where candidates typically struggle.


Governance, Risk, and Compliance

This domain is broader than it sounds. CAS-005 does not test whether you can define risk terminology. It tests whether you can apply risk frameworks to real enterprise scenarios and make trade-off decisions under constraints.

What is actually tested:

  • Selecting and integrating risk frameworks (NIST RMF, ISO 27001, COBIT) in context. You need to know not just what each framework contains but when to use one over another, and how to reconcile conflicting requirements when an organization spans multiple regulatory jurisdictions.
  • Third-party and supply chain risk. This includes vendor risk assessment, contractual controls, and evaluating the security posture of partners who have access to your environment or data. Expect scenario-based questions where a supplier introduces risk and you have to determine the appropriate control or response.
  • Compliance mapping across overlapping frameworks. Many organizations must satisfy PCI DSS, HIPAA, SOC 2, and state-level privacy laws simultaneously. The exam tests your ability to identify gaps, avoid duplicating controls, and prioritize remediation based on risk exposure.
  • Policy development and enforcement mechanisms. You will be expected to understand how policies cascade from governance documents into technical controls, and how to evaluate whether a policy is enforceable or merely aspirational.
  • Risk appetite and risk tolerance. These are not interchangeable terms on this exam. Expect questions that require you to distinguish between the two and justify a security investment or exception decision based on organizational risk appetite.

Where candidates struggle:

Most test-takers underestimate this domain because they treat it as soft knowledge. The harder questions here involve multi-part scenarios where legal, operational, and security requirements are in tension. You must be able to articulate why one control satisfies a compliance requirement better than another in a specific context, not just generically.


Security Architecture

This is one of the highest-weighted domains on CAS-005 and the area where the exam demands the most systems-level thinking. Architecture questions require you to design, evaluate, and improve security controls across complex, heterogeneous environments.

What is actually tested:

  • Zero Trust architecture principles. This goes well beyond the buzzword. You are expected to understand identity-centric access, micro-segmentation, continuous verification, and how to transition a legacy perimeter-based network toward a Zero Trust model without breaking operations.
  • Cloud and hybrid environment design. Questions cover multi-cloud security architecture, workload isolation, cloud-native controls versus third-party solutions, and shared responsibility boundaries. You need to understand how security architecture decisions differ between IaaS, PaaS, and SaaS deployments.
  • Secure network design. This includes defense-in-depth segmentation, secure remote access architectures (ZTNA versus traditional VPN), and how to architect networks that support both operational technology (OT) and information technology (IT) environments.
  • Cryptographic architecture. Expect questions on key management at scale, public key infrastructure design, certificate lifecycle management, and the architectural implications of algorithm deprecation (including post-quantum considerations).
  • Resilience and redundancy. Architecture is not just about preventing attacks. The exam tests your understanding of high availability design, failover strategies, backup architecture, and disaster recovery planning from a security perspective.

Where candidates struggle:

Candidates with strong hands-on backgrounds sometimes answer these questions too tactically. When the exam asks what architecture best supports a given requirement, it is looking for design rationale, not a list of specific tools. Practice thinking in terms of trust boundaries, data flows, and control placement.

The CAS-005 practice questions on NerdExam include scenario-based architecture items that help you develop this kind of structured reasoning.


Security Engineering

Security engineering tests your ability to implement and evaluate technical security controls. The difference from architecture is the level of specificity: engineering questions get into the mechanics of how controls work, not just where they fit in a design.

What is actually tested:

  • Identity and access management implementation. This includes federated identity, SAML, OAuth, OIDC, privileged access management (PAM), and how to evaluate IAM implementations for weaknesses. You need to understand not just how these protocols work but what attack vectors they introduce when misconfigured.
  • Endpoint and application hardening. Secure baseline configurations, application control, firmware security, and OS-level hardening are all in scope. The exam often presents a scenario where a system is partially hardened and asks you to identify the remaining gaps.
  • Vulnerability management at scale. This covers the full cycle from discovery to remediation prioritization. Expect questions on CVSS scoring interpretation, exploitability context, compensating controls, and how to communicate risk from vulnerability findings to non-technical stakeholders.
  • Security automation and orchestration. SOAR platforms, scripting for security tasks, and integrating disparate security tools into a cohesive workflow are tested. You do not need to write production code, but you do need to understand how automation changes detection and response timelines.
  • Secure development and DevSecOps. The exam covers how to integrate security into CI/CD pipelines, including static analysis, software composition analysis, container security, and secrets management in development workflows.

Where candidates struggle:

Engineering questions reward depth. Candidates who know a topic at a conceptual level often lose points here because they cannot distinguish between two technically valid answers that are appropriate in different contexts. Precision matters.


Security Operations

This domain tests your ability to respond to threats, investigate incidents, and operate security programs in a sustained way. It is not just about the incident response process; it emphasizes analytical judgment and operational decision-making.

What is actually tested:

  • Threat intelligence integration. Consuming, evaluating, and acting on threat intelligence is a core skill. This includes understanding threat actor taxonomy, campaign attribution, indicator management, and how to operationalize intelligence in detection and hunting workflows.
  • Incident response and forensics. Expect scenarios that test your ability to prioritize containment versus evidence preservation, scope an incident from initial indicators, and determine appropriate escalation paths. Digital forensics questions cover memory acquisition, log analysis, and chain of custody.
  • Detection engineering. Writing and tuning detection logic, reducing false positives, and aligning detections to frameworks like MITRE ATT&CK are all tested. The exam expects you to evaluate detection coverage, not just describe how SIEM tools work.
  • Threat hunting. You will be expected to describe a hypothesis-driven hunting approach, identify data sources required for specific hunts, and evaluate the results of a hunt against a known threat model.
  • Monitoring and logging architecture. Centralized logging, log retention requirements, and the trade-offs between log fidelity and storage cost are fair game. Expect questions where you must select the most relevant data sources for a given investigation.

Where candidates struggle:

Operations candidates who are strong practitioners sometimes rely on experience rather than framework knowledge. This exam rewards candidates who can articulate their operational decisions in structured terms. If you know what you would do in an incident but cannot explain why it aligns with a specific phase of the NIST incident response lifecycle or a comparable framework, you will leave points on the table.


How to Use This Structure in Your Prep

The four domains are not equal in weight, and your study plan should reflect that. Start with your weakest area based on an honest self-assessment, then use structured practice to identify specific gaps rather than broad topic review.

The CAS-005 exam catalog page has the current domain weightings and exam logistics you need before you register.

Focus especially on scenario-based practice. The CAS-005 uses performance-based and scenario-anchored questions heavily. Drilling isolated facts will not prepare you for questions that require you to synthesize information across multiple domains and justify a course of action. Practice making decisions, not just recalling definitions.